Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.
This article describes the procedure to create an IPsec connection between an AWS VPN Gateway and XG Firewall version 18.
The local network gateway typically refers to your on-premises location. You'll need the public IP address of your On-Prem Sophos XG firewall and your On-Prem Private IP address spaces. Please note that this configuration assumes that the public IP address is directly configured on the On-Prem XG firewall. Your configuration will be slightly different if your On-Prem XG firewall sits behind a NAT device.
In the "Download configuration" blade, select the following:
In the left navigation pane:
In the bottom navigation:
Click on Add route and configure the following:
In the IPSec policies blade, configure the following:
In our scenario, configure the following Phase 1 parameters on Sophos XG:
In our scenario, configure the following Phase 2 parameters on Sophos XG:
Scroll down to configure the parameters for Dead Peer Detection.
Configure the following settings:
General Settings
Encryption
Gateway Settings
Advanced
In the "Add Firewall Rule" window, configure the incoming firewall rule as follows:
Source and destination
Source
In the "Network" configuration window, configure the following:
In the "Add unicast route" window, configure the following:
Hi,
I have a few questions regarding this config:
1. How do you configure the static route in a failover situation as you can only have 1 interface linked to the static route?
2. We seem to have issues with AWS initiating a rekey before the Sophos XG does, and sometimes it happens in parallel. Would this be resolved by having a shorter key life than the 28,800 configured in the policy?
3. We are now getting these errors, although it doesn't seem to cause an issue with traffic flow. How do we resolve this?
CHILD_SA INVALID_ID_INFORMATION retry initiate CHILD_SA in 60 sec
Thanks,
Max